-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Fri, Feb 09, 2018 at 04:12:57PM -0800, [email protected] wrote:
> On Friday, 9 February 2018 19:02:09 UTC-5, Alex Dubois wrote:
> > On Friday, 9 February 2018 23:59:52 UTC, Alex Dubois wrote:
> > > On Friday, 9 February 2018 16:36:14 UTC, [email protected] wrote:
> > > > Yes, thanks for pointing out the typos. They are only mistakes in this
> > > > post. I use a script running in dom0 to generate pretty much
> > > > everything. The same script works when debian-8 is used. The
> > > > interface is different depending on the template
> > >
> > > I confirm I have the same issue.
> > > Please however note that I have another PCI NIC connected to an AppVM (My
> > > qubes also act as a firewall for home network) and we have no issue
> > > connecting outbound.
> > > Outbound connection as you know do not need the PRE-ROUTING rules, so
> > > also the problem is seen on the FORWARD rule, I suspect more the
> > > PRE-ROUTING rule is at fault and does not do its job.
> > > I'll try to dig into this, however I won't have much time this week...
> >
> > Also, could you clarify if you've tested on FirewallVM and if here again
> > Debian is OK and Fedora not. This might rule out issues with physical cards
> > (which I suspect is not the problem as PRE-ROUTING does get the packet).
>
> Yes, if the template on sys-net is changed to Debian-8, but sys-firewall
> (FirewallVM) is left with fedora... sys-net does send the packet to
> sys-firewall, which then appears the same way... PREROUTING sees it, but
> FORWARD does not.
An idea: Debian don't have nftables installed by default, so
qubes-firewal fallback to iptables. But not on Fedora - there nftables
is used. This applies to both sys-net and sys-firewall.
A quick test:
1. List rules:
nft list table ip qubes-firewall
2. Add rule accepting traffic from eth0:
nft add rule ip qubes-firewall forward meta iifname eth0 accept
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlp+rHcACgkQ24/THMrX
1ywR9gf/RJFy4TVihhweEh7ZqpwKTTD/JNgYCrl2nelvRwxl8awlqL/sxBBTGo39
byprAaL/Oe+6L4aX3d/tfbmpuJ7plHIJvm9PIxQ4SVj46iEcMRJIm1xQCjV8YtFu
bvAna5vrisuUuaEo/Kx1a7ee4gJTjHNUtTgA8N2ar+oL/csG2Vlz38zCVjAD8isf
HoCn8H35V4zvJoVXNuFTpSBplIlxa4ouryBWT9GQktBnZ1OPqdeiKotgFX2N5sJc
z01XQQ83HWJ+1/x+iGI9OoGidBKHI+izjSNhlyO70SW/9L1Xg+2NkaetJcO1VLHI
TaegOvEhZkvw2X6DVeeG5fGk1nYKXQ==
=evy9
-----END PGP SIGNATURE-----
--
You received this message because you are subscribed to the Google Groups
"qubes-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-devel/20180210002528.GT2070%40mail-itl.
For more options, visit https://groups.google.com/d/optout.
